Add CrowdSec configuration and update docker-compose for integration
This commit is contained in:
Mohmmed Elfateh Sabry
@@ -1,19 +1,19 @@
|
||||
# authelia/configuration.yml
|
||||
# Authelia v4 configuration for: auth.gate.3launchpad.com
|
||||
# Behind Traefik (forward-auth), Redis for sessions, SQLite storage.
|
||||
# ⚠️ Replace all "changeme_*" values or (better) override via env vars:
|
||||
# AUTHELIA_JWT_SECRET, AUTHELIA_SESSION_SECRET, AUTHELIA_STORAGE_ENCRYPTION_KEY
|
||||
# Authelia v4 for: auth.gate.3launchpad.com
|
||||
# Behind Traefik (forward-auth), Redis sessions, SQLite storage.
|
||||
|
||||
#########################################################
|
||||
# Server & Logging
|
||||
#########################################################
|
||||
server:
|
||||
address: "tcp://0.0.0.0:9091" # Traefik talks to this
|
||||
address: "tcp://0.0.0.0:9091"
|
||||
buffers:
|
||||
read: 4096
|
||||
write: 4096
|
||||
|
||||
log:
|
||||
level: info
|
||||
|
||||
theme: auto
|
||||
|
||||
# Where to send users if they hit a protected resource without a Referer
|
||||
@@ -22,8 +22,8 @@ default_redirection_url: "https://traefik.gate.3launchpad.com/"
|
||||
#########################################################
|
||||
# Secrets (use env vars in production)
|
||||
#########################################################
|
||||
# Prefer setting via Docker env:
|
||||
# AUTHELIA_JWT_SECRET, AUTHELIA_SESSION_SECRET, AUTHELIA_STORAGE_ENCRYPTION_KEY
|
||||
# Prefer env vars:
|
||||
# AUTHELIA_JWT_SECRET, AUTHELIA_SESSION_SECRET, AUTHELIA_STORAGE_ENCRYPTION_KEY
|
||||
jwt_secret: "changeme_jwt_secret"
|
||||
|
||||
#########################################################
|
||||
@@ -32,7 +32,6 @@ jwt_secret: "changeme_jwt_secret"
|
||||
authentication_backend:
|
||||
file:
|
||||
path: /config/users_database.yml
|
||||
# New hashes should be argon2id. Use: `authelia crypto hash generate argon2`
|
||||
password:
|
||||
algorithm: argon2id
|
||||
iterations: 3
|
||||
@@ -42,17 +41,14 @@ authentication_backend:
|
||||
key_length: 32
|
||||
|
||||
#########################################################
|
||||
# Access Control (who can access what)
|
||||
# Access Control
|
||||
#########################################################
|
||||
access_control:
|
||||
default_policy: deny
|
||||
|
||||
rules:
|
||||
# Public status page
|
||||
- domain: "status.gate.3launchpad.com"
|
||||
policy: bypass
|
||||
|
||||
# Admin-only, require 2FA
|
||||
- domain: "traefik.gate.3launchpad.com"
|
||||
subject: ["group:admins"]
|
||||
policy: two_factor
|
||||
@@ -61,14 +57,12 @@ access_control:
|
||||
subject: ["group:admins"]
|
||||
policy: two_factor
|
||||
|
||||
# Admin/Devs with 1FA for these tools
|
||||
- domain_regex: "(grafana|prometheus|umami)\\.gate\\.3launchpad\\.com"
|
||||
subject:
|
||||
- "group:admins"
|
||||
- "group:devs"
|
||||
policy: one_factor
|
||||
|
||||
# Catch-all for any other subdomain under *.gate.3launchpad.com -> authenticated users
|
||||
- domain: "*.gate.3launchpad.com"
|
||||
subject:
|
||||
- "group:users"
|
||||
@@ -81,17 +75,15 @@ access_control:
|
||||
#########################################################
|
||||
session:
|
||||
name: authelia_session
|
||||
domain: "gate.3launchpad.com" # cookie scope (covers *.gate.3launchpad.com)
|
||||
same_site: Lax
|
||||
domain: "gate.3launchpad.com"
|
||||
same_site: lax # <- fixed (was 'Lax')
|
||||
expiration: 1h
|
||||
inactivity: 30m
|
||||
remember_me_duration: 1M
|
||||
# secret can be overridden by env AUTHELIA_SESSION_SECRET
|
||||
remember_me_duration: 1M # deprecated but auto-mapped; safe to keep
|
||||
secret: "changeme_session_secret"
|
||||
redis:
|
||||
host: redis
|
||||
port: 6379
|
||||
# tls: false
|
||||
|
||||
#########################################################
|
||||
# Regulation (anti-bruteforce)
|
||||
@@ -105,48 +97,21 @@ regulation:
|
||||
# Storage (SQLite on persistent volume)
|
||||
#########################################################
|
||||
storage:
|
||||
encryption_key: "changeme_storage_key" # override via AUTHELIA_STORAGE_ENCRYPTION_KEY
|
||||
encryption_key: "changeme_storage_key"
|
||||
local:
|
||||
path: /config/db.sqlite3
|
||||
|
||||
#########################################################
|
||||
# Notifier (choose one)
|
||||
# Notifier
|
||||
#########################################################
|
||||
# For testing/dev: writes emails to a file
|
||||
notifier:
|
||||
filesystem:
|
||||
filename: /config/notification.txt
|
||||
|
||||
# For production, comment the block above and use SMTP:
|
||||
# notifier:
|
||||
# smtp:
|
||||
# address: "smtp.gmail.com:587"
|
||||
# username: "no-reply@3launchpad.com"
|
||||
# # password via env: AUTHELIA_NOTIFIER_SMTP_PASSWORD
|
||||
# sender: "3Launchpad Auth <no-reply@3launchpad.com>"
|
||||
# subject: "[3Launchpad] {title}"
|
||||
# startup_check_address: "you@3launchpad.com"
|
||||
# disable_require_tls: false
|
||||
# tls:
|
||||
# server_name: "smtp.gmail.com"
|
||||
# skip_verify: false
|
||||
|
||||
#########################################################
|
||||
# TOTP / Duo / WebAuthn (2FA)
|
||||
# 2FA: TOTP
|
||||
#########################################################
|
||||
totp:
|
||||
issuer: "3launchpad.com"
|
||||
period: 30
|
||||
skew: 1
|
||||
|
||||
webauthn:
|
||||
disable: false
|
||||
timeout: 60s
|
||||
display_name: "3Launchpad Gateway"
|
||||
relying_party_id: "gate.3launchpad.com"
|
||||
|
||||
# If you plan to use Duo Push in the future:
|
||||
# duo_api:
|
||||
# hostname: api-XXXXXXXX.duosecurity.com
|
||||
# integration_key: YOUR_IKEY
|
||||
# # secret_key via env: AUTHELIA_DUO_API_SECRET_KEY
|
||||
|
||||
Reference in New Issue
Block a user